According to a draft analysis reviewed by CNN.
The vulnerabilities have never been exploited in an election and would require physical access to voting equipment or other extraordinary criteria that standard election security practices preclude, according to analysis by US Cybersecurity and Infrastructure Security Agency.
But because the subject is Dominion voting equipment, which has been the target of conspiracy theorists who falsely claim there was large-scale fraud in the 2020 election, federal, state and locals are bracing for election deniers to try to weaponize news of the vulnerabilities. before the midterm elections.
“While these vulnerabilities pose risks that should be promptly mitigated, CISA has no evidence that these vulnerabilities have been exploited in elections,” says CISA’s draft advisory, which the agency shared on Friday. during a briefing with national and local authorities.
The Washington Post first report on the CISA notice.
In preparation for disclosing software vulnerabilities, CISA on Friday updated its “Rumor controlwhich he used to refute allegations of voter fraud in the 2020 election, with a new entry.
“The existence of a vulnerability in election technology is not evidence that the vulnerability has been exploited or that the results of an election have been impacted,” reads the new publication from Rumor Control.
The vulnerabilities affect a type of Dominion ballot-tagging device known as Democracy Suite ImageCast X, according to the CISA advisory, which is only used in certain states.
“We are working closely with election officials to help them address these vulnerabilities and ensure the continued security and resilience of America’s election infrastructure,” CISA Executive Director Brandon Wales said in a statement. at CNN. “It should be noted that standard state election security procedures would detect exploitation of these vulnerabilities and, in many cases, prevent attempts altogether. It is therefore very unlikely that these vulnerabilities could affect an election. »
The CISA analysis is an assessment of the security of Dominion Voting Systems’ ballot-marking devices conducted by a University of Michigan computer scientist at the request of plaintiffs in a long-running lawsuit against the Secretary of State. State of Georgia.
The computer scientist, J. Alex Halderman, had physical access for several weeks to Dominion ballot marking devices, which print a ballot after voters have made their choice on a touch screen.
Halderman’s report is still under seal with the court.
But according to Halderman and people who have seen the report, it claims to demonstrate how flaws in the software could be used to alter the QR codes printed by ballot marking devices, so that those codes do not match the vote recorded by the reader. Post-election audits, which compare paper trails with votes recorded on machines, could detect the discrepancy.
The nature of computing means that all software has vulnerabilities if you look closely enough, and software used in elections is no different. But election experts say physical access controls and other layers of defense, along with post-election audits, help mitigate the threat of vote manipulation via cyberattacks.
The CISA disclaimer notes that most jurisdictions using the tested machines have already adapted the agency’s recommended mitigations. Dominion has provided machine updates to address the vulnerability, a person briefed on the matter said.
CNN has contacted Dominion for comment.
Separately, the Georgia secretary of state’s office released a statement on Friday on a review of the state’s electoral systems conducted by Miter Corp., a federally funded nonprofit. Although the Miter report has not been made public, Gabriel Sterling, Georgia’s deputy secretary of state, said in a statement Friday that the report showed that “existing procedural safeguards make it extremely unlikely that a bad actor will actually exploit vulnerabilities”.